Running Linux and Netfilter on Nokia IP Series Hardware

A tutorial for setting up some open-source software on market leading, proprietary firewall hardware.

/etc/sysconfig/network-scripts/ifcfg-eth[n]

If the desktop PC has only one Ethernet interface, the Red
Hat installer creates only one network config file for eth0,
located at /etc/sysconfig/network-scripts/ifcfg-eth0. The Nokia has
three network interfaces, however, so ifcfg-eth0 should be copied
to ifcfg-eth1 and ifcfg-eth2 in the /etc/sysconfig/network-scripts
directory. Each of these files needs to be edited to contain the
correct interface names, IP addresses and MAC addresses. Interface
eth0 under Linux corresponds to eth-s3 under IPSO, eth1 to eth-s4
and eth2 to eth-s5. To each of the ifcfg-eth[n] files add the line
MACADDR=<MAC>, where <MAC> is the original MAC address, as
reported under IPSO before the Nokia disk was formatted. This
mitigates the problem of the Ethernet driver not being able to read
the MAC addresses directly out of the EEPROM chips.
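As an added example (not from the article), a small Python helper that renders the three ifcfg files from the IPSO-to-Linux interface mapping and the MAC addresses saved before the disk was formatted; it also refuses the all-ones address that a driver with a bad EEPROM checksum reports, so a wrong value is caught before ifup runs. The IP addresses and MAC values used are placeholders, and the helper assumes the plain Red Hat ifcfg keywords (DEVICE, BOOTPROTO, ONBOOT, IPADDR, NETMASK, MACADDR).

```python
import os
import re

# IPSO interface names and their Linux equivalents on the IP330, as the
# article gives them.
IPSO_TO_LINUX = {"eth-s3": "eth0", "eth-s4": "eth1", "eth-s5": "eth2"}

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
BAD_EEPROM_MAC = "FF:FF:FF:FF:FF:FF"  # what a driver with a failed checksum shows


def render_ifcfg(linux_name, ipaddr, netmask, mac):
    """Return the text of ifcfg-<linux_name>, including the MACADDR line.

    The MAC must be the one IPSO reported for this interface; the driver
    cannot read it from the EEPROM on its own.
    """
    if not MAC_RE.match(mac):
        raise ValueError(f"{linux_name}: malformed MAC address {mac!r}")
    if mac.upper() == BAD_EEPROM_MAC:
        raise ValueError(f"{linux_name}: {mac} is the bad-EEPROM placeholder, "
                         "not a real address; use the value saved from IPSO")
    return (
        f"DEVICE={linux_name}\n"
        "BOOTPROTO=static\n"
        "ONBOOT=yes\n"
        f"IPADDR={ipaddr}\n"
        f"NETMASK={netmask}\n"
        f"MACADDR={mac.upper()}\n"
    )


def write_ifcfg_files(saved_macs, addresses, scripts_dir):
    """Write one ifcfg file per interface into scripts_dir.

    saved_macs is keyed by IPSO name (eth-s3 ...), addresses by Linux name
    (eth0 ...) and holds (ipaddr, netmask) tuples.  Returns the paths written.
    """
    written = []
    for ipso_name, linux_name in IPSO_TO_LINUX.items():
        ipaddr, netmask = addresses[linux_name]
        path = os.path.join(scripts_dir, f"ifcfg-{linux_name}")
        with open(path, "w") as fh:
            fh.write(render_ifcfg(linux_name, ipaddr, netmask, saved_macs[ipso_name]))
        written.append(path)
    return written
```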

Operation

If all has gone well up to this point, it now is time to shut
down the desktop system and return the drive to the Nokia machine.
Be sure to re-attach the top of the IP330 case to keep the CPU cool
during intensive operations, such as a kernel compile. The four
fans at the back of the machine are effective only when the case is
sealed, and a good way to demonstrate this point is to try
consecutive kernel compiles without the top attached. The CPU
usually overheats and causes the machine to crash during the first
compilation attempt. With the case properly secured, the number of
consecutive kernel compiles has no effect on the stability of the
machine, which is what one would expect.

Before booting the IP330, reinstall the desktop disk in the
desktop PC and boot into Linux. Use the serial cable to connect the
two serial ports on the two systems and run minicom. Recall the
serial port settings we specified in /etc/lilo.conf, and configure
minicom to match.

Now we are ready to boot Linux on the IP330. After the memory
test is finished (which can be interrupted by pressing the ESC key
twice) the familiar LILO boot prompt should be displayed and then
the kernel boot sequence happily flows past. After the sequence is
finished, init gets a chance to run and eventually a login prompt
is displayed (see Resources).

Even though we are successfully running Linux on the IP330 at
this point, it still is a good idea to recompile the kernel from
scratch in order to put the operating system through its paces.
This helps to ensure Linux is indeed stable on a hardware platform
not specifically designed to run Linux. Besides, an added bonus is
the 256MHz processor probably allows enough time to grab a quick
sandwich during the recompilation process.

iptables

With the Nokia up and running, connect it to the network and
test by pinging another host on the same network; use your default
gateway or the Linux desktop machine, if necessary. Then execute
the command:

iptables -A INPUT -p icmp -i eth0 -j LOG

Ping the host again, and this time iptables log messages
should show up in the /var/log/messages system log when the icmp
echo reply packets reach the firewall.

To test the filtering ability of iptables, execute the
following command and then try to ping the host again:

iptables -A INPUT -p icmp -i eth0 -j DROP

The reply packets now should be logged and dropped, so the
ping does not succeed. We have established that iptables can both
log and filter traffic, but we have one more test to run:

Execute the ping once more, and it should work once again
even though both the log and drop rules still are in effect. This
illustrates the stateful capability of iptables, in which packets
associated with legitimate network traffic are let through and no
log messages are generated (see Resources).
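As an added example that is not part of the original article, the Python below parses the iptables LOG lines that land in /var/log/messages and counts them per interface and ICMP type, so you can confirm that the LOG rule is catching echo replies on eth0 and that, once the stateful rule is in place, no new replies are being logged. The sample log lines are constructed for this example, not captured from a real IP330, and the key=value field layout assumed is the one the kernel's LOG target writes.

```python
import re

# Constructed /var/log/messages excerpt: two logged echo replies on eth0,
# one echo request on eth1, and one unrelated sshd line.
SAMPLE_LOG = """\
Jun 10 12:00:01 nokia kernel: IN=eth0 OUT= MAC=00:a0:8e:00:00:00:00:50:56:00:00:01:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1001 PROTO=ICMP TYPE=0 CODE=0 ID=4321 SEQ=1
Jun 10 12:00:02 nokia kernel: IN=eth0 OUT= MAC=00:a0:8e:00:00:00:00:50:56:00:00:01:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1002 PROTO=ICMP TYPE=0 CODE=0 ID=4321 SEQ=2
Jun 10 12:00:03 nokia kernel: IN=eth1 OUT= MAC=00:a0:8e:00:00:01:00:50:56:00:00:02:08:00 SRC=198.51.100.7 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2001 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jun 10 12:00:04 nokia sshd[512]: Accepted publickey for admin from 192.0.2.10 port 40000 ssh2
"""

# Only the fields we need; IP ID and ICMP ID both appear as ID=, so a naive
# split into a dict would silently overwrite one with the other.
KV_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|TYPE|CODE)=(\S*)")

ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}


def parse_log_line(line):
    """Return a dict for an iptables LOG line, or None for any other line."""
    if " kernel: " not in line or " IN=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    entry = {"iface": fields.get("IN", ""), "src": fields.get("SRC"),
             "dst": fields.get("DST"), "proto": fields.get("PROTO")}
    if entry["proto"] == "ICMP" and "TYPE" in fields:
        icmp_type = int(fields["TYPE"])
        entry["icmp_type"] = ICMP_TYPES.get(icmp_type, f"type-{icmp_type}")
    return entry


def summarize(lines):
    """Count logged packets keyed by (interface, ICMP type or protocol)."""
    counts = {}
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        key = (entry["iface"], entry.get("icmp_type", entry["proto"]))
        counts[key] = counts.get(key, 0) + 1
    return counts


def echo_replies_on(lines, iface):
    """Echo replies logged on iface: this should climb while only the LOG and
    DROP rules exist and stop climbing once the stateful rule admits replies."""
    return summarize(lines).get((iface, "echo-reply"), 0)
```

Run it against the live file with `summarize(open("/var/log/messages"))` before and after each ping to see which rule is acting on the replies.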

Software Installation

Depending on the specific application of the IP330 in your
network, you may require software additional to what is listed
here. But, at a minimum you probably want to download and compile
the latest versions of the OpenSSL libraries, OpenSSH and the
iptables user space code. If you require the Nokia to become part
of an OSPF area, install the Zebra routing dæmon. If you require
the Nokia to fail over to another machine, install Keepalived and
configure it to run VRRP. The VRRP implementation of Keepalived is
particularly good. It is extremely easy to put one or all three
interfaces on the Nokia into a "sync group" that fails over all
interfaces if the link on any particular interface is lost. If you
require the Nokia to form an endpoint for an IPSEC VPN, install
FreeSWAN (see Mick Bauer's Paranoid Penguin columns from the
January and February 2003 issues of LJ for an
excellent exposition on FreeSWAN). One of the biggest advantages to
running Check Point Firewall-1 is the GUI interface, which makes it
easy to configure a firewall policy. Firewall Builder provides
similar functionality for iptables, and Mick Bauer covers it in the
May issue of Linux Journal.


In the coreboot project www.coreboot.org is a solution for the IP530 to run Coreboot, Seabios and Sgabios. This enables the IP530 to boot any OS. I'm currently running debian linux on it. Status of the hardware versus the bios, all on-board hardware is supported, so 4x NIC, 2 slot PCMCIA/Cardbus, two serial ports, dual IDE-HDD controller,

This may not be the correct answer, but when I spoke to Nokia tech support today about the hard disk size limitation on my IP530, this is what he responded:

===================================================================

The Ip530 can either support up to a 32gig HD or a 40 gig HD.

Any customer with an IP530 serial numbers prior to 9N0229XXXXX) that requests replacement or secondary drives should be supplied with FRUNIY0503FRU (32GB). Customers with IP530 serial numbers after 9N0229XXXXX should be supplied FRU NIY0502FRU (40GB).

You can view and update your case by logging onto the Nokia Support Web at https://support.nokia.com or by replying to this email. Please do not edit the subject or reply-to fields of your email response.

I have managed to use VMWare to create a fixed image the same size of the drive I use and use winimage to copy the vmware image. I'm using IPCop but have Endian Firewall on one of my IP330's as well. I use a usb to ide converter for the actual drive slaving for direct imaging when done making the vmware image. I like the usb bridge because it's quick and when I plug it into my SuSE box, the three ext3 partitions automount in /media and I can then edit the necessary files for making it work in the Nokia. The reason I don't just install IPCop directly to the physical drive is because VMware sees usb driven drives as scsi. Obviously once the drive is in the nokia hooked up normally, drive sd will not make sense as it will look for hd since it really is an ide. I did have to change the extension of the .vmdk image to .vhd so winimage would see it. Anyway you look at it, a flat image the exact size of the hard drive is just a hard drive image, you must configure vmware to make it act as an ide so you actually get a proper ide hd image. The variable image size which is default would likely create all sorts of errors. Another way with Vmware is to actually slave the nokia drive into an ide ribbon, boot back up, install whatever you plan to run on the Nokia in VMware using that physical drive and yes it will warn you about this. The USB ide adapter and using Winimage is the easiest way if you have the adapter since there is no shutting down the host machine and opening it.
I keep seeing people say that the Nokia IP330 uses a K6-2 266. I own two and they are both 400mhz and the 256 you see in the bios is actually how much L2 cache it has as the actual speed is not echoed out with this rather terse bios. My IP330's are both IP2331's which is the platform model. I notice some say that their IP330's are actually IP2330's which is the same platform as the P050 which cost next to nothing on ebay these days. BTW, of my two IP2331's, one motherboard is Rev A and the other is Rev B. Technically, it is the OS that determines if it is an IP330 or whatever. I do think the firewall/router distros such as IPCop, Smoothwall, Endian (based on IPCop but more tweakable), Monowall and PFsense (almost there) will be ideal for this hardware. With any of these running on this platform, at least the 400mhz versions, the firewalled throughput is around 80 to 90mbs. VPN would drop that down but your average firewall/router you buy for a couple hundred at the computer store would throughput much less. Don't be fooled by the 10/100 port as this is just line speed and does not indicate what the device can really pass through it. If people only knew how choked some of them (book size with wall wart power supply) really are, they would be appalled.
Optional hardware: The front is a 3U 32 bit cPCI (Compact PCI) bay and the os sees this the same as any other 32 bit pci bus, the exception is that it is hotpluggable and all recent Linux kernels support this. The one in the rear is a 32 bit PMC bay, also a 32 bit PCI bus but you have to take the unit apart to place a PMC module in there so that would be one you would want to use for something that you are not likely to change. Adapters DO exist to use standard pci devices in either PMC or cPCI bays but you cannot put a pci card on a cPCI adapter and hotplug it but at least you can use regular pci hardware.
Why do this at all? Because we can and the hardware can be had cheap now. Never mind whether we should or not, what fun is that?

I have played around with Nokia IP130 and Endian firewall distro. I managed to make hardware to boot with endian and was able to connect with serial terminal to it.

My method was to install Endian on an Intel 400mhz laptop with an Intel NIC. I disabled USB and PCMCIA detection during setup. After installation and a few tweaks for serial and grub I switched the HD to my Nokia IP130.

My problem regards the Ethernet not showing up. The e100 driver won't load due to the checksum error. Any hints how to proceed?

I also have a problem that the terminal connection is not reliable ... it acts funny quite often. What should I double check?

Another tweak I needed to do was related to grub. I needed to disable showing of that fancy bootscreen during Endian boot up.

Excellent article. I too have a spare IP330 laying around that I would like to put Linux on. I have tried debian, gentoo, FreeBSD and OpenBSD but I cannot get the OS to boot. I don't have a standard serial cable to use, but I do have the Nokia supplied cable.

You don't need a "Nokia" supplied cable. All you need is a DB9 female/female null modem serial cable. These can be picked up for approximately $2.50 at most online vendors (try www.sfcable.com as one source).

With Donald Becker's eepro100 driver, all three interfaces come up, but the MAC address for all three is set to FF:FF:FF:FF:FF:FF, the driver reports an invalid EEPROM checksum, and I cannot set the proper MAC addresses with ifconfig (as your instructions specify). I've posted a more complete description of everything I tried to comp.os.linux.hardware.

It sounds like you have tried everything to get the Becker driver
to work (eepro100-diag, etc.). For the Becker driver I don't really
have any additional suggestions. However, in my testing I was also able to get the Intel e100 driver to work after disabling the
checksum verification code directly within the driver (I also got
the "corrupted EEPROM" message). Here is a trivial patch that
disables the checksum verification (unfortunately I don't have the
version number of the driver code that matches this patch since I
did the work for the article several months ago). However, it should be easy to get the patch to work against other versions of the e100 driver.

BTW, thanks for reading the article. Let me know how it turns
out or if you have other questions please don't hesitate to send
me email. (I tried responding to your meconomou@cchmc.org address but encountered a mail loop.)

Hi,
I have an IP350 and I need to run a Linux 2.6 on it.
I did the e100 module modification.
The module is loaded and I can see the link status up when I connect the cable.
I set the MAC and the IP address with ifconfig.
Then I can see packets going out of the IP350, but it seems that the module does not see the incoming traffic. I did a tcpdump in promiscuous mode and I can't see anything.
On the remote PC, I can see the ARP who-has sent by the IP350 and the response.

I tried the eepro100 module, but with it, the link status is not handled.
Does anyone have a way to solve this?

I have a few recently acquired ip350 units and I did get it to boot up on IPCop 1.4.11. I got the eepro100 module to load and also was able to assign the mac addresses I saved from the ipso 3.7 install. Only trouble is it would neither receive nor send packets. I downloaded various iterations of the e100 driver since I have a developer version of IPCop running in VMWare and in one instance, I could receive packets but not send. That's the closest I got so far. BTW, the Intel chips are i82559er. I wish we could get more documentation on the hardware itself since Nokia is discontinuing the IP350 and IP380 near the end of November. The pcmcia controller is a Ti 1225 which behaves as it does in many laptops, it does not have an irq set by the bios. The yenta driver in the 2.4 kernel is next to impossible to route irq's with since it does not do well with options. In the 2.6.10 and newer kernels, it should work much differently. Some actually compile the kernel without the yenta driver in 2.4, this supposedly forces the driver in the pcmcia_cs to be compiled instead. This makes the IP330 look so easy. I do like the slide out board of these though, it takes only seconds for me to open it, pop the drive off the board and plug it into a usb to ide bridge with a 2.5" drive adapter on my linux box and I can edit files and change driver modules easily enough. The saddest part about the i82559er chips is that they are better supported in BSD than in Linux. Intel doesn't even list the driver for Linux on this chip but the newer compatible cousin, the i82551er chip does have a Linux driver listed. That said, the idea of finding a quad gigabit pmc adapter looks attractive.

I should have probably been more clear in the article about my motivation for getting Linux to run on the Nokia:

1. My current employer has purchased over 400 of these devices and so buying support to upgrade to newer versions of IPSO costs a _lot_ of money.

2. Upgrading IPSO is not something that can be brushed aside, especially if a vulnerability is found in a part of the OS that _forces_ you to upgrade. This actually happened to us.

3. I did not claim the Nokia was a particularly nice piece of hardware (see the "Hardware Specifications" paragraph). Of course one could go out and buy any modern 1U machine and it will certainly outperform a four-year-old Nokia IP 330 and cost many times less. However, if you are an organization (like mine) that already has the hardware lying around and would like to make use of it, why not put Linux on it?

What a tremendous waste of time to even do this. First of all the only value that Nokia's IPSO even provides in the first place is that it is a hardened OS that is compiled to match perfectly to the Nokia hardware. Nokia platforms are running, by today's standards, very slow processors; you could pick up an Intel server on eBay for 1/4 of the price of a Nokia. The only thing that could be a bigger waste of time would be running your corporate firewalls on converted X-Boxes... Get a life people, spend some money on a real firewall... If your data is worth so little, buy a Netscreen

This is just about the most pointless thing you can do with a Nokia box. If you want to run a firewall on linux, just buy a well built intel box and stick quad nics and gig ports into it. Don't spend several thousand over the odds for a pc from Nokia

I suppose that the point is to run it on the old IP330 which came with AMD K6-2/266 and 64M RAM, but even in this case it is pointless, because IPSO is far better than Linux (except filtering itself which is not stateful).

IPSO supports both IGP and EGP routing protocols, has a simple traffic shaper, fault management, you can run mrtg and squid, build proxies using netcat, use ntp for time sync and a lot of other things. I can't imagine running RedHat or any other Linux (maybe IpCop, but I am not sure) instead of a robust, high quality, security focused and more stable operating environment.

Any problems with the CDROM in the IP330? Mine doesn't have an option under the HDD for CDROM, I have set it to auto. Boot sequence is setup to CDROM,C,A but doesn't seem to want to boot. I know the CDROM is good and the CD is bootable.

I purchased a second hand IP330 and unfortunately the IPSO image was destroyed through an upgrade. - All I get now from a console connection is a flashing cursor with "AT" displayed on the screen.

I want to install Linux on the machine but I don't have the original Nokia console cable - thus can't see the BIOS to change the boot order. - Nor do I have the experience of fiddling with kernels etc.

I have tried the dd command on another Linux box, but I'm a newbie and couldn't even get the second hard drive to mount!!!

Someone told me the IPSO file system is encrypted?

Anyhow, does anyone know of a tech support company in the UK that would be prepared to help for a low cost charge?

In case you're still wondering what to do about this problem, here is the answer:
This is an install via terminal, so when the installer comes up don't use text install but put this line in "linux console=ttyS0,9600" this will then show you the rest of the install.
Cheers,
Tristan Delsol
